Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments


September 27, 2010

Could the fight against ATM fraud use the help of biometrics?

Biometrics is defined as "the measurement and analysis of unique physical or behavioral characteristics especially as a means of verifying personal identity." There are several different identifiers that may be used in biometrics, including fingerprint and hand geometry, voice and vein recognition, as well as retina, iris, and facial scans. The concept of biometric technology as a customer authentication tool to protect the identity and accounts of individuals from fraud or theft is promising. However, relinquishing something as personal as a unique trait may leave some skeptical and others simply unnerved.

But can privacy concerns or consumer apprehension over the use of biometrics overcome the need to address the growing instances of ATM fraud?

Physical attacks on ATMs increase
According to Javelin Strategy & Research, in 2009, 10 percent of fraud victims in the United States experienced fraudulent ATM cash withdrawals. These schemes typically involve the use of a skimming device that may sit above the actual card reader and capture PIN entries. Other methods are more brazen and involve the physical act of pulling an ATM from the wall or floor and disassembling it elsewhere. Additional types of ATM attacks may involve data breaches, social engineering, and software vulnerabilities.

Successful adoption of biometric technology
Although the thought of biometric technology may conjure up images of George Orwell's 1984, for years now, several major Japanese banks have been using some form of biometric technology to combat ATM fraud. One example is the Bank of Tokyo-Mitsubishi, which uses palm vein-pattern biometrics for account and identity authentication. After inserting the card and entering a PIN, the user holds his or her hand over a sensor on the ATM for verification purposes. Because palm vein patterns are unique to each individual, others are not able to withdraw money using stolen cards. The palm vein information is stored in the card itself, which also keeps the biometric information hidden from bank employees.

In 2006, a new Japanese law made banks liable for fraudulent ATM withdrawals. Prior to the law's passage, banks did not impose withdrawal limits and did not protect against losses due to theft. As a result of the new law, today more than 90 percent of Japan's banks use some form of vein-pattern recognition.

Biometrics obstacles
A lack of standardization and the costs of implementation ring in at the top of the list when we consider why the financial services industry is apprehensive about integrating this technology. Also topping the list are privacy concerns and general consumer apprehension. But surprisingly, consumers have offered positive feedback when asked about the use of biometrics to combat fraud. In fact, when asked what they would choose, more consumers preferred using biometrics as an additional authentication tool over a one-time password device.

[Figure: Additional Authentication Methods at ATMs by Age]

Will banks be willing to invest the time and money into technology that may or may not become an industry standard? Or are some banks waiting for other banks to serve as pioneers in the United States before they invest in biometric ATM machines?

Creating a chain of trust
U.S. consumers have historically shown reluctance to embrace new technologies until their reliability and trustworthiness have been vetted in the marketplace for a number of years. Part of building this trust will require building a track record of robustness with respect to both security and reliability. While concerns about biometrics may abound, these concerns can be addressed by educating the user and industry.

The concept of biometrics shows great potential for combating ATM fraud, but is it the panacea? Or is the key simply using technology more advanced than that employed by the bad guys, staying one step ahead of them rather than one step behind?

By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

September 27, 2010 in ATM fraud, biometrics, fraud


Oddly enough this article came out recently:



This isn't to say that combining a biometric with a card and PIN could make it less 'inherently fallible'...

The biometric needs to be reliable enough to replace one of the authentication factors with a more effective method. Otherwise you are creating more work/effort/barrier for the consumer to transact with the payment method.

Posted by: Mike Urban | September 29, 2010 at 06:01 PM
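As an added illustration of the card-plus-PIN-plus-palm check described in the Bank of Tokyo-Mitsubishi paragraph above, and of the reliability trade-off raised in the comment thread, here is a small Python model that is not from the original post or from any bank's system. The bit-string templates, the Hamming-distance matching rule and the threshold values are constructed assumptions.

```python
import hashlib
import hmac
import os
import random
from dataclasses import dataclass

TEMPLATE_BITS = 256      # size of the constructed toy vein template
MATCH_THRESHOLD = 40     # assumed: max differing bits still counted as a match


def pin_verifier(pin: str, salt: bytes) -> bytes:
    # Salted, slow hash so the PIN itself is never stored on the card.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class Card:
    account: str
    salt: bytes
    pin_hash: bytes
    vein_template: int   # stays on the card; the bank never receives it

    @classmethod
    def issue(cls, account: str, pin: str, template: int) -> "Card":
        salt = os.urandom(16)
        return cls(account, salt, pin_verifier(pin, salt), template)

    def verify_pin(self, pin: str) -> bool:
        return hmac.compare_digest(self.pin_hash, pin_verifier(pin, self.salt))

    def verify_palm(self, live_scan: int, threshold: int) -> bool:
        # Hamming distance between the enrolled template and the live scan.
        differing_bits = bin(self.vein_template ^ live_scan).count("1")
        return differing_bits <= threshold


def atm_authorize(card: Card, pin: str, live_scan: int,
                  threshold: int = MATCH_THRESHOLD) -> bool:
    # Possession (card), knowledge (PIN) and inherence (palm) must all hold;
    # the ATM forwards only the yes/no outcome, never the template.
    return card.verify_pin(pin) and card.verify_palm(live_scan, threshold)


def noisy_scan(template: int, flipped_bits: int, seed: int = 1) -> int:
    # Constructed live scan: the enrolled template with a few bits flipped,
    # standing in for sensor noise on a genuine palm.
    rng = random.Random(seed)
    scan = template
    for pos in rng.sample(range(TEMPLATE_BITS), flipped_bits):
        scan ^= 1 << pos
    return scan


def constructed_template(label: str) -> int:
    # Constructed palm template: 256 pseudo-random bits derived from a label.
    return int.from_bytes(hashlib.sha256(label.encode()).digest(), "big")


def demo() -> dict:
    owner = constructed_template("constructed owner palm")
    thief = constructed_template("constructed thief palm")  # ~128 bits differ
    card = Card.issue("acct-0001", "4821", owner)
    return {
        "owner_accepted": atm_authorize(card, "4821", noisy_scan(owner, 12)),
        "owner_wrong_pin": atm_authorize(card, "0000", noisy_scan(owner, 12)),
        "stolen_card_known_pin": atm_authorize(card, "4821", thief),
        # Loosening the threshold to cut false rejects lets the thief in:
        # the reliability trade-off raised in the comment thread.
        "loose_threshold_thief": atm_authorize(card, "4821", thief, threshold=200),
    }
```

Running `demo()` shows a stolen card with a known PIN still being rejected at the assumed threshold, and being accepted once the threshold is loosened far enough.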


September 20, 2010

Playgrounds and privacy: Finding the balance in protecting consumers and catching criminals (Part 2 of 2)


Last week, in Part 1, we took a conceptual look at the issue of balancing financial privacy interests with catching criminals. This week we look closer at the subject, with an eye on the legal landscape of financial privacy laws and law enforcement's ability to access financial records under the existing laws.

The legal battle between law enforcement and personal privacy in the United States is as old as privacy law itself, and maintaining a balance between the two has for years required continuous maintenance of financial privacy laws. One of the most recent changes occurred in 2001, with the introduction of the Patriot Act. While the Patriot Act gives law enforcement agencies easier access to financial information so they can intercept terrorist financing and prevent money laundering, the Patriot Act has also been used routinely to combat nonterrorist criminals.

But have we struck the right balance yet? Or are stronger financial privacy parameters needed to tip the scales in favor of either the consumer or law enforcement?

The financial privacy law landscape prior to the Patriot Act
Historically, customers have expected their bank records to be held in confidence, relying largely on their right to financial privacy based on their contractual agreement with the bank. But in 1970, the Bank Secrecy Act (BSA) became law, and turned that expectation upside down. The BSA began requiring financial institutions to maintain certain records on their customers and authorized the Secretary of the Treasury to require financial institutions to report certain financial transactions. That same year, the Fair Credit Reporting Act (FCRA) was passed, whose goal was to safeguard consumer financial information by limiting the availability of consumer credit reports only for specific "permissible purposes."

In 1978, the Right to Financial Privacy Act was passed, which generally precluded the disclosure of a consumer's individual financial records to a government authority without the customer's consent, absent a subpoena or other judicial order. In 1999, Title V of the Gramm-Leach Bliley Act addressed several additional issues relating to the protection of nonpublic personal information maintained by financial institutions. Since their enactment, each of these statutes has undergone several amendments, mostly in response to the competing interests between a consumer's right to financial privacy and law enforcement's legitimate need to access consumers' financial records.

The Patriot Act: enhanced law enforcement access to customers' financial records
The Patriot Act allows law enforcement to develop a strategy for catching the bad guys by virtue of significant changes in the regulatory scheme of financial privacy, including new "Know Your Customer" rules, and allowing the sharing of information between law enforcement and financial institutions. Specifically, section 314(a) of the Patriot Act allows law enforcement agencies to gather financial data about a person being investigated.

Under section 314(a), a federal law enforcement agency investigating either terrorist activity or money laundering may request that FinCEN (the U.S. Department of the Treasury's Financial Crimes Enforcement Network) provide certain financial information from a financial institution or group of financial institutions. FinCEN then turns to the financial institutions and asks them to search their records to determine whether they maintain or have maintained accounts for, or conducted transactions with, the individual or entity specified by the law enforcement agency.

If a financial institution has a record of dealing with the subject of the inquiry, it must report back to FinCEN, which in turn shares the collected financial information with the law enforcement agency. Financial institutions may not disclose that FinCEN or the requesting agency made such an information request. No search warrant or subpoena is required.

Section 314(a): Beyond terrorist financing and money laundering
According to FinCEN, investigations incorporating section 314(a) requests have included a Hawala operation, cigarette smuggling, arms trafficking, investment fraud, and an international criminal network. Anonymity stifles the ability of law enforcement to combat criminal activity. Consequently, one of the biggest challenges confronting law enforcement officials is connecting the dots when trying to catch the bad guys. However, given the delicate and often strained balance between the privacy laws and law enforcement’s need to access financial records, can a sacrifice in financial privacy result in a balancing benefit in more effective law enforcement, or does law enforcement have adequate tools today to intercept criminal activity?

By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

September 20, 2010 in data security, privacy



September 13, 2010

Playgrounds and privacy: Finding the balance in protecting consumers and catching criminals (Part 1 of 2)

Many, many years ago, when I was an elementary school student, I experienced the excitement of that now-defunct practice called "recess." This outdoor break in the school day allowed students to blow off steam, get some exercise, and learn social playground skills. It also allowed weary teachers to have a break from us. One of my favorite things on the playground was the "teeter-totter," the simple, two-person balancing board affixed to a fulcrum. The boredom of just going up and down was interrupted by doing so with force and speed or by surprising one's partner by jumping off, thereby causing the other party to descend rapidly, sometimes causing his/her bottom to hit the ground before the feet. More challenging, however, was the concept of the two riders trying to position themselves so that the teeter-totter would actually balance itself in a way that both parties would be suspended off the ground. Great fun!

Balancing data privacy rights
Strangely, this activity bears a strong resemblance to what we find ourselves doing in the payments system today as we try to balance a consumer's right to data privacy with a service provider's responsibility to protect a customer from financial loss. Achieving this balance has become a time-consuming and expensive activity for the payments industry and for law enforcement agencies charged with catching bad guys after they breach protected files.

The responsibilities inherent in providing data privacy protection are complicated because data privacy laws today are set largely at the state level. Consequently, some variance exists in due diligence. Companies whose customers span multiple states struggle to deal with different requirements and remedial actions should a data breach occur. Frequently, a company adopts procedures that comply with the most rigid of the laws, in essence satisfying the "greatest common denominator," the effect of which is to gravitate toward a de facto national standard in federal laws on data privacy.

Responsibilities in managing data breaches
No fewer than 24 federal laws exist today that attempt to protect the privacy of some aspect of our personal and business lives. However, there is no overarching federal legislation in place that specifically addresses financial data privacy. Such bills have been drafted, but they are logjammed in Congress behind more pressing matters. At the state level, virtually all states have some form of financial data privacy legislation on the books. For the most part, the banking industry has looked at the construct and verbiage of the 2002 California law as the standard of care for all. In essence, the law requires a company to report any breach in which a customer's name is compromised in combination with a Social Security number, a driver's license number, or any bank account information, including debit and credit card numbers. More recently, in March, Massachusetts adopted a seemingly more stringent law that speaks less to the need for post-breach remedial action and more to the prevention of breaches in the first place. In this way, data privacy legislation seems to be converging with the "commercially reasonable" data security requirements of Article 4A of the Uniform Commercial Code.

Ultimately, trouble arises when organizations are forced to guess what standards are commercially reasonable. Trouble also arises when companies attempt to minimize exposure by extending the definition of protected data to include non-personal information, such as company names and other identifiers resident in payment transaction records. While courts will have to sort out the first issue, the practice of businesses adopting self-imposed, expanded data protection standards is another matter.

The problem here is twofold. First, excess caution will inevitably lead to higher costs that have to be recovered elsewhere in a bank's profitability formula. Frequently, this occurs through the institution of some form of account. Second, over-interpretation of laws creates barriers to effective industry controls and processes for detecting and mitigating fraud, as well as making the regulatory and law enforcement aspects of fraud mitigation more cumbersome and expensive. Where, then, is the balance point on this teeter-totter of financial privacy?

Where do we go from here?
Unfortunately, the answer may ultimately lie in creating some umbrella national legislation that tries to strike the right balance. Such legislation must allow for a cadre of "trusted parties" who bear the responsibility for protecting data as a price for collecting it so as to reduce financial crimes. As a consumer, I certainly don't want anyone misusing my personal information, but I also want those who do so to get caught and pay the price. It is only then that the cycle of improvement can take place—more forcible enforcement, more prison terms, fewer bad guys in the market, less privacy invasion, fewer sleepless nights. Inevitably, the balance point on a teeter-totter only occurs when one party pushes off first—and that may be the regulators and law enforcement.

By Rich Oliver, Executive Vice President of the Atlanta Fed and Director of the Retail Payments Risk Forum

September 13, 2010 in data security, privacy



September 7, 2010

Is KYC DOA? The tribulations of trying to know your customer

Based on recent nightly news coverage, it appears that armed robbery has entered a new era of "brazenness," as robbers seem to commit their crimes without the cover of a disguise, despite the growing omnipresence of security cameras. I seem to recall that in the good old days of TV westerns, the robbers always wore disguises—at least they covered their faces with bandanas. Unfortunately, in the world of cybercrime, the disguises are still a basic part of the uniform as bad actors go about the business of laundering money, financing terrorists, and committing general computer crimes.

Increasingly in the wake of the Sept. 11 attacks, the responsibility for wrestling with detecting criminal financial activity lies with banks, subject to the provisions of Section 326 of the Patriot Act. In essence, the Patriot Act extended the earlier requirements of the Bank Secrecy Act to place financial institutions in the center of a process to know more and more about their account holders. Generally described as the "Know Your Customer" (or KYC) provisions of the act, Section 326 requires financial institutions (now broadly defined to include everything from traditional banks to gambling casinos) to gather, record, and report a great deal of specific information about their business and consumer customers.

Customers have reacted to this heightened information-gathering process with some frustration, yet it is simply the consequence of the global village in which we now live. The standards for such information gathering are cataloged in the Customer Identification Program (CIP) requirements of the Patriot Act, but many institutions, in an effort to protect their bank's financial welfare and avoid criticism from regulators about adhering to the letter of the law only, have extended their programs into the area of customer due diligence (CDD). CDD embraces broader information gathering that may frequently seem intrusive to the customer. For example, CDD may ask customers to describe the nature of transactions flowing through their accounts so that the bank can establish a risk rating for the accounts. However, in today's reality of global cybercrime, have we come to the point where even extended CDD may not be sufficient?

The emergence of third parties in the payments arena
This question is accentuated by the increasing roles of third parties in the payments system. Many third parties are legitimately engaged in providing services and technology support to businesses and banks alike in order to facilitate a more efficient use of the payments system. For example, some companies offer ACH or electronic check origination services to smaller businesses that cannot easily afford the acquisition of in-house systems to accomplish certain payment functions. While it is reasonable to assume that a bank can perform due diligence reviews on such third parties, history has been a harsh teacher in revealing that the third party (the bank's customer) can be well intentioned, but some of the companies they provide services to (the customer's customer) may be less honorable. Consequently, we talk in the trade of the fact that banks must now know their customer's customer (KYCC).

It turns out that this is not an easy thing to do. Nor is it easy to tell their customer's customer how to do it. For instance, many of the customer's customers may be startup companies, entrepreneurs pursuing the dream, or relatively small niche businesses. Some such firms start legitimately and intentionally act innocently until such time that they are positioned to commit significant fraud. In other words, the robbery suspects in cyber space do wear bandanas and they do disguise themselves so that no one can make an easy determination in advance as to their trustworthiness. In fact, they do it so well that we must ask, "Is KYC dead on arrival?" in this modern world of payments.

It is increasingly apparent that the answer is, "No, KYC isn't dead, but neither is it enough." A good KYC plan is better than no plan and is needed to comply with the Patriot Act, but we cannot possibly expect such a plan to be foolproof. Instead, we need to anticipate the possibility of a rogue player and complement KYC with other controls. Ultimately, this means that noncard transaction processing systems need to begin to adopt many of the practices used in card systems, including data forensics to detect and address potentially fraudulent behavior before it happens or as soon after it happens as possible.

In addition, it may be time for the industry, working with regulators, to examine the growing importance and risk profiles of nonbank entities engaged in the payments space. Most of today's fraudsters fall outside of the regulatory purview of bank supervisors and examiners, leaving the field to agencies such as the Federal Trade Commission. In 1850, the Pinkerton Agency was formed to assist the government in finding and arresting bank robbers. Perhaps we need a modern-day cyber version of the Pinkertons, armed with powerful networked computers to reach out and oversee the operations of a bank's customer's customer on behalf of regulators and law enforcement bodies everywhere. At any rate, a fresh look at this topic couldn't hurt.

By Richard Oliver, Executive Vice President of the Atlanta Fed and Director of the Retail Payments Risk Forum

September 7, 2010 in fraud, KYC, law enforcement, payments, payments risk, regulators


